The WebOrion Software Solutions Cross Site Request Forgery (CSRF) www.theweborion.com [email protected]
THE WEBORION SOFTWARE SOLUTION
Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit such commands; specially crafted image tags, hidden forms, and JavaScript XMLHttpRequests, for example, can all work without the user's interaction or even knowledge. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.
History
CSRF vulnerabilities have been known and in some cases exploited since 2001. Because it is carried out from the user's IP address, some website logs might not have evidence of CSRF. Exploits are under-reported, at least publicly, and as of 2007 there were few well-documented examples:
1. The Netflix website in 2006 had numerous vulnerabilities to CSRF, which could have allowed an attacker to perform actions such as adding a DVD to the victim's rental queue, changing the shipping address on the account, or altering the victim's login credentials to fully compromise the account.
2. The online banking web application of ING Direct was vulnerable to a CSRF attack that allowed illicit money transfers.
HTTP VERBS AND CSRF
Different HTTP request methods have different levels of susceptibility to CSRF attacks and require different levels of protection, because web browsers handle them differently.
With HTTP GET, CSRF exploitation is trivial using the methods described above, such as a simple hyperlink containing manipulated parameters that is loaded automatically by an IMG tag. By the HTTP specification, however, GET should be a safe method, that is, one that does not significantly change the user's state in the application. Applications using GET for such operations should switch to HTTP POST or use anti-CSRF protection.
HTTP POST has a different vulnerability to CSRF, depending on the detailed usage scenario:
1. In the simplest form of POST, with data encoded as a query string (field1=value1&field2=value2), a CSRF attack is easily implemented using a simple HTML form, and anti-CSRF measures must be applied.
2. If data is sent in any other format (JSON, XML), the standard method is to issue a POST request using XMLHttpRequest, with CSRF attacks prevented by SOP and CORS; there is, however, a technique to send arbitrary content from a simple HTML form using the ENCTYPE attribute. Such a fake request can be distinguished from legitimate ones by its text/plain content type, but if this is not enforced on the server, CSRF can be executed.
3. Other HTTP methods (PUT, DELETE, etc.) can only be issued using XMLHttpRequest, with SOP and CORS preventing CSRF; these measures, however, will not be active on websites that explicitly disable them using the Access-Control-Allow-Origin: * header.
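As an added example (not code from the original slides), a server-side gate for a state-changing JSON endpoint that enforces the content-type distinction described above: it refuses the three content types a plain HTML form can produce (including the text/plain case reached via ENCTYPE) and refuses safe methods for state changes. The function and constant names are my own.

```python
# Content types a plain HTML <form> can emit; none of them is application/json.
FORM_CAPABLE_TYPES = {
    "application/x-www-form-urlencoded",  # default <form> encoding
    "multipart/form-data",                # enctype="multipart/form-data"
    "text/plain",                         # enctype="text/plain" (the trick above)
}
# Methods the HTTP specification defines as safe: they must not change state.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def media_type(content_type):
    """'application/json; charset=utf-8' -> 'application/json' (parameters dropped)."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def accept_json_state_change(method, content_type):
    """Gate for a state-changing JSON endpoint; returns (accepted, reason).

    A cross-site page can only reach this endpoint with a non-form content
    type through XMLHttpRequest/fetch, which SOP and CORS already gate.
    """
    if method.upper() in SAFE_METHODS:
        return False, "state change requested via a safe method; use POST"
    mt = media_type(content_type)
    if mt in FORM_CAPABLE_TYPES:
        return False, f"{mt} is producible by a plain HTML form; rejected"
    if mt != "application/json":
        return False, f"unexpected content type {mt!r}"
    return True, "ok"
```

This check complements a synchronizer token rather than replacing it; it only closes the text/plain form path the text describes.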
LIMITATION
Several things have to happen for cross-site request forgery to succeed:
1. The attacker must target either a site that doesn't check the referrer header or a victim with a browser or plugin that allows referer spoofing.
2. The attacker must find a form submission at the target site, or a URL that has side effects, that does something (e.g., transfers money, or changes the victim's e-mail address or password).
3. The attacker must determine the right values for all the form or URL inputs; if any of them are required to be secret authentication values or IDs that the attacker can't guess, the attack will most likely fail (unless the attacker is extremely lucky in their guess).
4. The attacker must lure the victim to a web page with malicious code while the victim is logged into the target site.
5. The attack is blind: the attacker cannot see what the target website sends back to the victim in response to the forged requests, unless they exploit a cross-site scripting or other bug at the target website.
Prevention
The synchronizer token pattern (STP) is a technique where a token, a secret and unique value for each request, is embedded by the web application in all HTML forms and verified on the server side. The token may be generated by any method that ensures unpredictability and uniqueness (e.g. using a hash chain of a random seed). The attacker is thus unable to place a correct token in their requests to authenticate them.
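A minimal synchronizer token implementation, added here as an example and not taken from the slides: tokens come from the OS CSPRNG (unpredictable), each is issued for one form render and retired on first use (unique per request), and verification is constant-time and bound to the session. The store, form and handler names are my own; the in-memory dictionary stands in for whatever session storage a real application uses.

```python
import hmac
import secrets
from html import escape


class CsrfTokenStore:
    """Outstanding synchronizer tokens, keyed by session id (in-memory stand-in)."""

    def __init__(self):
        self._tokens = {}  # session_id -> set of tokens not yet consumed

    def issue(self, session_id):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens.setdefault(session_id, set()).add(token)
        return token

    def consume(self, session_id, presented):
        """Accept and retire a token for this session; reject anything else.

        compare_digest keeps the comparison constant-time, so a forged request
        cannot learn the token byte by byte from response timing.
        """
        if not isinstance(presented, str) or not presented:
            return False
        outstanding = self._tokens.get(session_id, set())
        for token in list(outstanding):
            if hmac.compare_digest(token.encode(), presented.encode()):
                outstanding.discard(token)  # single use: a replayed token fails
                return True
        return False


def render_transfer_form(token, action="/transfer"):
    """Embed the token as a hidden field; a cross-site page cannot read it (SOP)."""
    return (
        f'<form method="POST" action="{escape(action)}">'
        f'<input type="hidden" name="csrf_token" value="{escape(token)}">'
        '<input name="amount"><button>Send</button></form>'
    )


def handle_transfer(store, session_id, form):
    """Server-side POST handler: verify the token before performing the action."""
    if not store.consume(session_id, form.get("csrf_token")):
        return 403, "CSRF token missing, invalid, or already used"
    return 200, f"transferred {form.get('amount', '0')}"
```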
Security experts propose many CSRF prevention mechanisms, including, for example, using the referer header, using the HttpOnly flag, sending an X-Requested-With custom header using jQuery, and more. Unfortunately, not all of them are effective in all scenarios: in some cases they are ineffective, and in other cases they are difficult to implement in a particular application or have side effects. The following implementations prove to be effective for a variety of web apps while still providing protection against CSRF attacks.
About TheWeborion
WebOrion™ – Trusted brand since 2012 for Cyber Security
Our experts convert ideas into reality and add value to our customers by providing quality Cyber Security solutions.
We thrive on providing security to all types of applications, focusing on preventing cyber attacks and on data clean-up after a cyber incident.
Learn more:
Phone: +1-(202)-765-7053
Email: [email protected]
Website: www.theweborion.com